Solved Desktop Adverts

[elbmek]

Sorry #david, adaware installed stuff I did not want, changed my search engine and installed toolbars without my knowledge or acceptance. It also failed to find premiumoptions

 

[elbmek]

just been into iobit again, and start menu programs, services, found folder but cannot delete it but it is now disabled, I hope.

adaware did not find it

 

[XweAponX]

Adaware, is a very lousy program, and it has become malware itself these last few years.

You have something in your system, which is loading up a list of spam sites, and telling IE to pop them up at random times.

Copy the link address from that spam link you posted, and do a search for it in Regedit. See if it comes up, it should be in a list of a bunch of similar spamsites. When/if you find it, delete the whole list.

I suppose the final thing you can do is run "Combofix" - But be very careful. Also, run "Hijackthis" and post the results, lest us see what it finds.

HiJackThis | Free software downloads at SourceForge.net

 

[elbmek]

I did have chrome as default until a few hours ago, the pc was really slow, so I did another scan and it found 22 malware in Chrome, so out it went. Using IE10 as only browser now. The machine is appreciably faster too. I have a copy of hijhack downloaded but will rake your link as its probably more up to date

 

[elbmek]

hijack this log

In what section would I look for this in regedit, been thought it but not successfully

 

[XweAponX]

OK having a look now...



O2 - BHO: WebCake Layers - {2A5A2A90-3B30-4E6E-A955-2F232C6EF517} - C:\Program Files\Web Cake\WebCakeIEClient.dll

Get rid of that.

If you have "Yontoo Layers" installed? Delete it immediately, uninstall it then delete any leftover folders. But get rid of that Webcake thing, I think it is your problem

There are a bunch of questionable things in there, but that one is probably the main culprit.

In Hijack This, select that, then hit "Fix". Then delete the program files. You may have to reboot.

 

[elbmek]

on my way

 

[XweAponX]

There are a few other things in there, I'll keep looking.

O23 - Service: WebCacheService - Data Dynamics - C:\PROGRA~1\COMMON~1\Data Dynamics\ActiveReports Pro\WebCacheService.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe

the first one, not sure what it is, but the second on, I've seen some MASSIVE complaints about that on the net. And any "Paretologic" programs.

This guy cites links from Prevx and others as to the nature of Xsoftspy. It's another virus.

Any opinion on XoftSpy SE? - Yahoo! Answers

 

[elbmek]

xsoft was something I tried and failed with today - prog deleted. The windows comes up with you are not allowed to make changes and refuses to let hijack this delete the line. I am admin by the way

it says go here: sys32/drivers/etc/hosts and delete line but this is all that shows

102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

 

[XweAponX]

Then use Unlocker to delete the actual program and then delete all entries to it in Regedit.

 

[XweAponX]

Maybe you can get rid of Xfostspy using Hijackthis in safe mode...

 

[elbmek]

OK they gone. what I did was instead of just ticking one, I ticked all three together and, apparently, they have gone!!! Oh please yes!!

just done hijack this again, the lines are still there, after reboot

If these are lines in registry, can I do a manual deletion? If so where?

I had not deleted Xoft but have now

 

[XweAponX]

OK you also have Snapdo - It is a continuous feed of junk:

Delete these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://feed.snap.do/?publisher=TightropeYB&dpid=TightropeYB&co=GB&userid=2b4d0d3e-d700-4966-b912-f8dbe818cd22&searchtype=ds&q={searchTerms}&installDate=22/03/2013
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = Search

And these

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snap.do/?publisher=TightropeYB&dpid=TightropeYB&co=GB&userid=2b4d0d3e-d700-4966-b912-f8dbe818cd22&searchtype=ds&q={searchTerms}&installDate=22/03/2013
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://feed.snap.do/?publisher=TightropeYB&dpid=TightropeYB&co=GB&userid=2b4d0d3e-d700-4966-b912-f8dbe818cd22&searchtype=ds&q={searchTerms}&installDate=22/03/2013

Does Snapdo come up as a search engine? It Ain't a search, it's a virus!

How to Remove Search.Snap.do Virus from IE/FF/Chrome? (Snap.do Toolbar Removal Guide) | Anvisoft - Labs

(Solved) How to Remove Snap.do Search from Chrome, Mozilla , IE

 

[elbmek]

no snap do found, web cake folder deleted, no yontoo found. I know where most have come from my daughter is forever downloading, I keep telling her to untick boxes!! AGH!

Hijack this keeps telling me system wont let me delete these!!! And points me to here:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

 

[XweAponX]

It's your HOSTS file and there is nothing in there at all, if in fact that is your hosts file.

I don't care what it said somewhere else, those entries were in your PC, HijackThis showed them. It's an infection, not a Program. So parts of it cannot be uninstalled, just have to remove the pieces of it.

So, the popups have stopped? If they have mark this as Solved. At any rate my original assessment has been proved, you had a virus. Might still have parts of it, some viruses are so bad that there is nothing to do but Format C:

But if you do that, I would suggest securing the drive, use a Zero-Write program to write 0's on the whole drive.

 

[elbmek]

I am more than grateful for your help, you have been brilliant. I shall wait now and see how things pan out. At least I know where to look if reqd. Thanks again.

 

[David Bailey]

Sorry #david, adaware installed stuff I did not want, changed my search engine and installed toolbars without my knowledge or acceptance. It also failed to find premiumoptions

You need to pay attention when installing something.
If you would have read the prompts as you installed it none of that would have happened.

***************************************************************************

EDIT-- I say it is a good program because it keeps adware & spyware out.
It tells me when it finds something & gives me the option of what to do with it.
I don't just say it is good.
I know it is good from the results I get from it.

This edit isn't pointed at you elbmek.
Just anyone who says it is a bad program without giving reasons why they say it is a bad program.

***************************************************************************

Getting unwanted stuff installed by not reading the install prompts is easy to have happen.
I've done it myself.
I learned to go slowly when installing anything.
I suggested AdAware because I thought your problem was adware related.
Sorry it didn't help.
I hope you find a solution soon.

 

[Hopachi]

The people who make these things try to make them look like the system generated it.

One way to possibly protect yourself is to "Personalise" your Windows GUI (e.g. change the Font Type, Font Style or the Colour Scheme).
This only works against poorly written malware.

Years ago I saw one of those fake XP alerts.
I knew it was a fake message as it used the default blue colour scheme (I was using the XP silver scheme).

Yeah, saw those too...
They always pick the most used theme globally (as they can detect which browser you use, what system, they can also detect which color scheme is used).
That's why I always use some light modified theme and not the mainstream one. AeroLite for instance.

There are of course some users that amaze me as well: very sophisticated highly modified, custom themes but you don't see this everywhere of course.

Ads using Aerolite Scheme? Don't see those yet because AeroLite looks uglier than Aero to most. So if 2 guys from the whole bunch of Win8 users use a specific theme and all the rest use the default one, then you've guessed how ads/popup windows will look next.

 

[caperjack]

2 program i use and recommend for malware removal are Malwarebytes ans SuperAntiSpyware, and i run both on computers regular customers of mine to remove malware with good results ,some are nastier than others and may require a bit more work ..

 

[XweAponX]

Well, David, if AdAware works for you, then use it- It's simply too difficult to install Just Ad Aware all by itself without the utter CACK that's tacked onto it which cannot be avoided without extreme difficulty. It must be difficult to see the prompts for the extra stuff. I know with me, I look at every aspect of every installer with intense scrutiny, so I would have been able to avoid installing the malware that comes with adaware.

But most people who simply download programs and install them, really don't know where to look to find out how to avoid this. Actually most people do not understand they are being forced to install programs they never wanted. There are two programs that are on my permanent Shi-ite list: IMGburn and Ad-Aware. Both of them deliberately hide the malware installers so they are very difficult to avoid installing.

Distributors of software that do this need to be run off the face of the earth, I don't care HOW "good" the software is. I use an old version of IMGburn which does not have the forced malware installations, and I've never updated it since they started practicing this kind of invasion. ElbMek's Problem is based on this practice, and Ad-Aware participates in it, which makes them propagators of the problem rather than part of the solution.

If you have Malwarebytes, I would nto bother with "SuperAntiApyware" - it's a borderline program, and it should not be installed as to run in "Resident" mode, because it causes a bunch of problems. But it's fine for single-use scanning.